The requester IP address and the quoted chosen nickname are different in each request; otherwise the pattern is the same.

The page requested (warning.php) is a real page on my site that mentions a specific hacker group (not "anonymous" btw.) in non-flattering terms. The fact that this specific page is targeted may indicate that they may be irritated - or it may just be a coincidence.

The hacker group in question is (IMHO) an obnoxious bunch of criminals, but they are also quite good at what they do. However, I don't see this as a competent attack. To me, it looks more like a script-kiddie thing than something a real hacker would try. I really don't understand what padding a legitimate page request with a lot of spaces and some random "chosen nickname" is supposed to accomplish. To me, it does not look like an injection attack. The requests are persistent, but only 40-60 per day - so it is not even some sort of DoS attack.

I've googled for this pattern, but only found this: http://en.forums.wordpress.com/topic/hacked-by-f34rl355-i-guess - which suggests that this is script-kiddie work. However, the fact that whoever is doing this has at his disposal a vast number of IP addresses points in the opposite direction. I've discounted the theory of multiple script-kiddies, since I know of no "script" that has this "thing" as a component, and since all requests are for the same specific page.

What makes me a bit concerned is that 1) whoever is doing this is persistent; 2) it targets a specific page on my site.

I don't think this is especially targeted at you or your article. It's a pattern I see repeatedly in links embedded into comment spam hitting spam filters. So this shows signs of being a bot(-net?) running wild.
– Nicktar Jan 7 '13 at 15:33

5 Answers
5

Your initial reaction is correct - this is a malicious request. The attack seems to be attempting to leverage an authentication bypass bug in a plugin, but I can't find which one. The attack seems to have been reasonably successful, since a large number of sites that show up on Google are now displaying pharma spam. I'd imagine the attacker is using a botnet or Tor to perform the attacks.

As far as mitigation goes, just block the requests with a firewall or WAF that supports pattern-based blocking. If you can do a regex pattern block, this will work as long as case sensitivity is disabled:

Thanks for the quick reply, that makes sense (I already block these). However, the site in question is static HTML. No WordPress, no plugins. Shouldn't a competent hacker be able to figure that out, and understand that this exploit is useless against my site?
– Free Radical Jan 7 '13 at 9:39

1

It's probably automated. They'll be using a Google Dork or a similar pattern-based search that is likely just throwing a false positive on your site. Either way, they're clearly not very smart.
– Polynomial Jan 7 '13 at 9:40
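The pattern-based, case-insensitive block suggested in this answer, and the question's concern about how many source IPs are involved, as an added example that is not from the original thread: a small Python check over constructed Apache combined-format log lines. The real request line is not shown on this page, so the assumed shape (warning.php followed by a run of encoded spaces and a quoted nickname) is an assumption.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" log format. The real request line is
# not shown on this page; the assumption is a GET for warning.php padded with
# URL-encoded spaces (%20) and ending in a quoted (%22...%22) nickname.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2013:09:12:01 +0000] "GET /warning.php%20%20%20%20%20%20%22Fr0sty%22 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [07/Jan/2013:09:40:55 +0000] "GET /Warning.PHP%20%20%20%20%22d4rk_l0rd%22 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [07/Jan/2013:10:03:17 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2013:11:15:42 +0000] "GET /warning.php%20%20%20%20%20%22Fr0sty%22 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# Fields we need from each combined-format line: client IP, timestamp, method, target, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# The shape described in the thread: a real page, then a run of (encoded) spaces,
# then a quoted nickname. IGNORECASE matters because Warning.PHP is the same file
# on a case-insensitive host and would otherwise slip past the rule.
PADDED_REQUEST = re.compile(r'/warning\.php(?:%20|\+|\s){3,}%22[^%"\s]+%22', re.IGNORECASE)

def parse_line(line):
    """Return (ip, day, method, target, status) for a combined-format line, or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, stamp, method, target, status = m.groups()
    day = stamp.split(':', 1)[0]          # "07/Jan/2013:09:12:01 +0000" -> "07/Jan/2013"
    return ip, day, method, target, int(status)

def find_padded_requests(log_text):
    """Return the (ip, day, target) triples whose request target matches the pattern."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and PADDED_REQUEST.search(parsed[3]):
            hits.append((parsed[0], parsed[1], parsed[3]))
    return hits

def summarize(hits):
    """Counts that answer the thread's questions: how many, from how many IPs, per day."""
    return {
        "total": len(hits),
        "unique_ips": len({ip for ip, _, _ in hits}),
        "per_day": dict(Counter(day for _, day, _ in hits)),
    }
```

The same PADDED_REQUEST expression is what a WAF or mod_rewrite rule would carry; running it over the access log first shows whether the hits really come from many addresses or from a handful that repeat.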

There are literally hundreds of "exploit" kits that scan for vulnerable software and attempt to exploit the servers that host it. Some of the more primitive exploit kits will not confirm whether a specific product or version of software is running before firing the payload. In your case it seems this is what happened, and as you say your site is static, you should have nothing to worry about in terms of the application being exploited.

Well done being vigilant, though. Check the whois record for the domains; it may be worth reporting them, as the owner may not know they have been a victim of an attack.

This doesn't answer the question, which is 'what is the attack trying to do, and should the OP be concerned' not 'how do I fix it'
– Rory Alsop♦ May 22 '14 at 10:27

1

You are right, but in this case, having the right answer will not do anything to prevent the hacking attempt. That code in .htaccess prevents the hacking attempt (without needing to know attack specifics), and without blocking the IP address, in case there are legitimate users at the same IP. I am sure it is not the ideal solution, but it does prevent the hacking attempt. I only posted because I thought another reader might find it helpful. Thanks.
– ovtorne May 26 '14 at 17:12